Are South African Businesses Breaking the Law Without Knowing It?
Many South African businesses believe they are operating within the law. They have policies in place, file some statutory returns and may even have compliance files neatly stored away.
Yet a growing number of organisations are unknowingly breaking the law and exposing themselves to severe financial, legal and reputational consequences. As an example, in the 2023/24 financial year the Financial Sector Conduct Authority (FSCA) imposed almost R943 million in fines on firms that failed to address anti-money laundering weaknesses.
According to Muhammad Ali, managing director of ISO specialist World Wide Industrial & Systems Engineers (WWISE), companies across industries consistently equate paperwork with compliance. “In reality, compliance failures are often hidden in daily operations, systems and governance structures rather than obvious acts of misconduct,” Ali says.
Basic statutory obligations are frequently overlooked. Missed annual returns, incorrect tax filings, incomplete statutory registers and failures to submit returns to the SA Revenue Service (SARS), Companies and Intellectual Property Commission (CIPC), Unemployment Insurance Fund (UIF) or in terms of the Compensation for Occupational Injuries and Diseases Act (COIDA) remain common.
This is particularly true among smaller businesses. Tax compliance failures, including incorrect VAT applications, late corporate tax submissions and poor record-keeping, often trigger audits, penalties and reputational damage. A 2025 survey of 400 South African small-enterprise owners by small-business software platform Xero found that more than a quarter (27%) said submitting tax returns was one of their biggest stressors.
Data protection is another major blind spot where organisations break the law without knowing it. While many organisations believe a privacy policy is sufficient to meet the requirements of the Protection of Personal Information Act (POPIA), audits regularly reveal inadequate cybersecurity controls, poor consent management and ineffective breach response.
This false sense of security is becoming increasingly dangerous as enforcement ramps up. The Information Regulator recorded 1 355 POPIA complaints in the 2024/2025 financial year, reflecting growing public awareness and regulatory scrutiny.
Transformation compliance presents another major risk area. Ali warns that many organisations still treat Broad-Based Black Economic Empowerment (B-BBEE) as a tick-box exercise. “Misinterpreting scorecard requirements or appointing nominal directors or partners without genuine participation is not just non-compliance, it is fronting, which constitutes criminal fraud,” he says.
Labour law violations are equally widespread. Businesses frequently breach the Employment Equity Act, minimum wage provisions, maximum working hours and fair dismissal requirements, often without malicious intent.
Occupational health and safety is another area where assumed compliance masks legal exposure. WWISE audits repeatedly uncover outdated risk assessments, insufficient worker training, incomplete safety documentation and weak competency management.
“Having a SHE (Safety, Health, and Environmental) file does not automatically mean you are compliant with the Occupational Health and Safety Act. If controls are not embedded into how work is actually performed, legal exposure remains,” Ali notes.
Beyond individual regulatory breaches, Ali highlights weak corporate governance as a systemic issue. He says many organisations underestimate governance obligations such as maintaining policies, documenting controls and keeping evidence of compliance activities.
Anti-money laundering compliance under the Financial Intelligence Centre Act (FICA) is another emerging risk. Poor customer due diligence, weak risk assessments and failures to report suspicious transactions are common. “Some organisations simply don’t realise they qualify as accountable institutions under FICA,” Ali says.
Despite these risks, many businesses still view compliance as a narrow legal or HR function rather than a core business risk. Ali attributes this to the way compliance historically developed.
“Compliance grew out of contracts, labour law and disciplinary processes, so it became associated with legal and HR departments. Over time, it turned into checklists, forms and training sessions, instead of being embedded into operational systems.”
This fragmented approach is increasingly dangerous as penalties escalate. POPIA fines can reach R10 million, while FICA penalties can be as high as R50 million for companies.
To address these challenges, Ali argues that compliance must shift from a reactive exercise to an integrated management discipline. International ISO management system standards play a critical role in this transition.
While no ISO standard is tax-specific, frameworks such as ISO 9001 for quality management, ISO 31000 for risk management, ISO/IEC 27001 for information security and ISO 44001 for collaborative business relationships help organisations systematically identify and manage compliance obligations.
In the occupational health and safety space, ISO 45001 embeds legal compliance directly into risk-based operational processes. Similarly, ISO 14001 addresses environmental compliance by requiring organisations to identify environmental aspects across the full life cycle of products and services, actively monitor legal changes and involve leadership in environmental governance.
Ultimately, Ali believes ISO-aligned management systems help organisations move beyond fear-driven compliance. “They embed risk-based thinking, strengthen leadership accountability and encourage cross-functional collaboration. Compliance stops being something you do when forced and becomes part of how the organisation operates.”
















